|Publication number||US6219786 B1|
|Application number||US 09/150,264|
|Publication date||17 Apr 2001|
|Filing date||9 Sep 1998|
|Priority date||9 Sep 1998|
|Also published as||DE69929268D1, DE69929268T2, EP0986229A2, EP0986229A3, EP0986229B1|
|Publication number||09150264, 150264, US 6219786 B1, US 6219786B1, US-B1-6219786, US6219786 B1, US6219786B1|
|Inventors||Mark Cunningham, Andrew Trevarrow|
|Original Assignee||Surfcontrol, Inc.|
|Export Citation||BiBTeX, EndNote, RefMan|
|Patent Citations (8), Referenced by (231), Classifications (16), Legal Events (7)|
|External Links: USPTO, USPTO Assignment, Espacenet|
The invention relates generally to a method and system for managing access control to resources of a distributed network, and relates more particularly to monitoring and controlling computer users' access to network resources from both inside and outside the network.
There are a number of available topologies for computer networks of nodes. A computer network may be highly centralized, having a mainframe computer that is accessed by a number of user computers, such as desktop computers. Currently, the trend is away from centralization and toward distributed processing and client-server relationships. In a distributed network, intelligence and processing power are distributed among a number of network nodes, typically with client workstations communicating with distributed servers. Other relationships among nodes of a network are known.
A network of nodes may be associated with a single enterprise, such as a local area network (LAN) of a particular business. Such a network enables communications and data exchanges among the various nodes of the network. A single protocol may be used in the accessing of resources within the LAN. Thus, when a first node, such as a client workstation, accesses the computing resources of a second node, such as a server for storing various applications, data is exchanged without requiring a protocol conversion.
However, the largest and most pervasive network is the nonproprietary global communications network referred to as the Internet. A number of different network protocols are used within the Internet. Protocols that fall within the Transmission Control Protocol/Internet Protocol (TCP/IP) suite include the HyperText Transfer Protocol (HTTP) that underlies communications via the World Wide Web, TELNET for allowing access to a remote computer, the File Transfer Protocol (FTP), and the Simple Mail Transfer Protocol (SMTP) to provide a uniform format for exchanging electronic mail, as well as a number of standardized or proprietary protocols for multimedia and broadcast services.
An implementation of these and other Internet protocols solely within an organization is often referred to as an Intranet, while the use of such protocols across a restricted set of Internet sites that are relevant to a particular organization is referred to as the organization's Extranet.
Much attention has been given to installing computer network gateways which focus on ensuring that potential intruders (sometimes referred to as “hackers”) cannot gain illegal access via the Internet to an organization's computing resources on their Intranets. These gateways are “choke points,” through which network traffic that is to be controlled must flow. Such “firewalls” are configured to allow any outbound connection or traffic to occur, but to restrict inbound traffic to specific services that are deemed to be non-threatening to the organization. Firewalls may also perform a limited amount of “packet filtering,” which attempts to control traffic by reference to non-contextual, low-level network packets.
An issue that receives less attention is ensuring that the employees of an organization are appropriately managed. This management extends to accessing external computer resources and accessing internal computer resources. The management may be set forth in an access control policy of the organization. With respect to many aspects, the management is the converse of the problem that firewalls are intended to solve. While firewalls are focused on keeping intruders from gaining unwanted accesses, access control systems are focused on ensuring that insiders are managed according to the access control policy of the organization.
There are a number of motivations for implementing an access control policy within an organization. With regard to controlling external communications, two important reasons are maximizing employee productivity by ensuring that Internet access is used primarily for business purposes and maximizing the Internet-connection capability (i.e., bandwidth) of the organization, particularly during peak usage times. For example, using streaming audio and video services at peak times of the day in terms of the network traffic of an organization can seriously diminish productivity of other users within the organization who are attempting to perform tasks such as e-mail file transfers, terminal emulations, and network database inquiries.
Using traditional approaches, organizations apply stringent rules and sometimes overbearing management dicta in order to prevent key business usage of the Internet from being adversely affected by casual or inappropriate usage. The traditional approaches are typically administratively difficult to set up and maintain, as well as being difficult to scale from small organizations to large enterprises. Thus, some of the productivity gains are negated by management overhead.
One traditional approach to providing access control with regard to resource requests generated within a network is to leverage firewall technology and focus on the well-known packet filtering techniques. This typically requires a computer system to be installed as a router with at least two network interface cards and with no data packets being allowed to be forwarded from one interface card to the other without prior filtering. That is, firewall technology has been “turned around” to form some degree of protection. Rather than controlling outsiders attempting to access resources of the network, the techniques are used to control insiders attempting to access external resources. This approach may work well in some applications, but in others the approach is too simplistic and inflexible.
U.S. Pat. No. 5,727,146 to Savoldi et al. describes a method for securing network access to a network. All data packets that are transmitted via the network are monitored for authorized source addresses, rather than examining only the initial network connection packets. Thus, network access to a port is secured by monitoring the source address of each packet that is sent as a device tries to train to the port of the network. If the source address matches an authorized source address assigned to the port to which the device is attached, the device is allowed access to the system. However, if the device attempts to train with a source address different from the authorized source address, all packets sent by the device are denoted as errored packets to prevent them from being accepted by any other device in the network. By monitoring all packets, the system detects occurrences in which a device attempts to “disguise” itself by first training with an authorized source address and then sending a packet with an unauthorized source address.
Another approach to implementing network access control is to add third-party software modules into commercially available proxy server products. For example, software modules that are dedicated to attempting to control access may be added to a web proxy server. The disadvantages of this approach include the fact that only a small subset of Internet protocols is actually routed through a web proxy server. These protocols are typically restricted to browser-based FTP, Gopher and WWW protocols. This subset of protocols does not include the protocols used in the transfer of packets for e-mail, telnet, other file transfers, and streaming audio and video. Therefore, using web proxy servers as choke points allows only an incomplete level of control.
Another approach to attempting control access is to establish “blacklists” or “control lists” into proxy servers or into individual client workstations. This is a somewhat simplistic approach to meeting the needs of organizations and is often administratively burdensome to corporations, since the lists must be updated on a regular basis.
What is needed is a method and system for providing access control to resources of a network in a manner that is flexible, scalable and relatively easy to administer.
A method and system in accordance with the invention are configured to provide access control to resources of a network by collecting and assembling data packets of a specific transmission, so as to enable identification of information from raw data packets at the lowest level to application-level data at the top-most level. In terms of the standardized model referred to as the International Standards Organization (ISO) model, the data packets are assembled to determine not only the lower-layer information from the headers of the packets, but also the uppermost Application Layer (i.e., Layer 7) contextual information. Access rules are then applied to determine whether the specific transmission is a restricted transmission.
In the preferred embodiment, the steps of receiving and assembling the data packets occur non-intrusively with respect to impact on traffic flow through the network. That is, the data packets are intercepted without impact on network performance, unless a restricted transmission is detected. Receiving and assembling the data packets may occur at a workstation or server that is dedicated to providing access control. For example, a free-standing workstation may be connected as a node to the network and may be switched to a promiscuous mode in order to receive all data packets transmitted to or from other nodes of the network. This allows the workstation to receive the fragments (i.e., data packets) of each access attempt from elsewhere on the network to either external destinations or other internal destinations. The fragments are pieced together to identify ISO Layer 7 information, as well as lower layer information. In an e-mail context, the Application Layer information of interest may include the information contained within the “to,” “from” and “subject” lines of e-mail messages. In a web context, the Application Layer information of interest may include the text of the HTML pages.
By placing the dedicated workstation or server outside of the direct paths from source nodes to destination nodes, the impact on network traffic is minimal. However, the method and system may also be implemented by examination and management at a choke point, such as a proprietary proxy server, a firewall or other network node that is acting as a gateway between the network and an external network (e.g., the Internet). The examination and management at a choke point may take the form of a plug-in module for receiving, assembling and examining data packets in the manner described above. However, the examination of access attempts at the choke point will not provide the level of access control available by monitoring all traffic within the network, and may well impact network performance. Therefore, the system may include both access monitoring at the choke point and non-intrusive monitoring elsewhere on the network.
In the approach in which access is examined non-intrusively, the dedicated workstation or server may be configured as a “bare-bones” TCP/IP virtual machine to establish a capability of providing information extending from the lower layers of the ISO model to the Application Layer. There may be more than one dedicated workstation or server, particularly if the network is divided into segments. The access rules are preferably stored as a rules base, which may be centralized if there is more than one node that provides access management. Alternatively, the rules base is configured at a single site, but then automatically distributed to each access control point on the network.
The access control rules may apply at the time that a connection is established or may depend upon application protocol data following a successful connection. In the preferred embodiment, the rules are applied both at the time of connection and subsequent to the connection, as data packets are assembled. If a node-to-node transmission is determined to be a transmission that is restricted by the rules base, a connection attempt may be denied, a previously established connection may be broken, a simple logging may occur, or a combination of these actions may be implemented. Data collected during the connection attempts or during a connection's lifetime may be passed to third-party software in order for independent validation to occur. However, this is not critical.
The rules base is preferably divided into two sets of rules. The first set relates to access management requirements with regard to outgoing connection attempts, while the second set relates to internal connection attempts. The rules within each set may be layered in order to allow seemingly inconsistent rules to be included in a single rules base. For example, rules within a particular set may be applied sequentially, so that a specific rule application is accessed prior to a general rule application that contradicts the specific rule. The rules base is preferably configured in terms that are familiar to users, such as usernames, group names, workstation identifiers, destination addresses and URLs, services required, time-of-day, day-of-week, and data size.
An advantage of the invention within a business environment is that the method and system protect employee productivity by ensuring that Internet access is used primarily for business purposes. Another advantage is that the bandwidth availability is used more efficiently. Access may be dynamically controlled based upon factors such as the time of day and the day of the week. Another advantage is that internal security is enhanced by ensuring that access to internal computer resources is managed.
FIG. 1 is an exemplary topology of a network that utilizes access control management in accordance with the invention.
FIG. 2 is a block diagram of an exemplary network topology having more than one node that establishes access control in accordance with the invention.
FIG. 3 is a prior art schematic diagram of an Ethernet data packet.
FIG. 4 is a schematic view of the seven-layer ISO model and the source layers that are utilized by the invention.
FIG. 5 is a view of a graphical user interface (GUI) in accordance with one embodiment of rules configurations.
FIG. 6 is a block diagram of one embodiment of an access control device in accordance with the invention.
FIG. 7 is a process flow of steps for operating the device of FIG. 6.
With reference to FIG. 1, an exemplary network is shown as including a router 10 that provides access to the global communication network referred to as the Internet 14 for an organization that is protected from unwanted intruders by a firewall 16. A number of conventional user workstations 18, 20 and 22 are included as nodes of the network. A fourth workstation 24 may be identical to the other workstations, but is dedicated to providing access control management. Thus, the workstation 24 is an access control management console (ACMC). However, one of the other workstations may be used to implement the access rules in a manner that is consistent with the non-intrusive management system to be described below. The workstation 24 may be a conventional desktop computer having a plug-in access management module 26 to monitor traffic within the network.
Another node within the network is a proprietary proxy server 28 that is used in a conventional manner to enable selected services, such as web services. A web proxy server is designed to enable performance improvements by caching frequently accessed web pages. While such servers tend to add some access control potential by taking advantage of the fact that all HTTP conversions are being channeled through the service, the access control functionality is not a primary focus and only a subset of the protocols that are likely to be encountered via the Internet will be recognized by conventional web proxy servers. For example, the proxy server 28 may provide proxying capability for the HTTP protocol and perhaps browser-based FTP and Gopher, but the proxying capability is not likely to extend to other TCP/IP application protocols, such as telnet, news, e-mail and many proprietary multimedia protocols.
The network topology of FIG. 1 is shown as an exemplary configuration and is not meant to limit or constrain the description of the invention. The method and system to be described below can operate on a wide variety of network configurations. Moreover, while all workstations 18-24 can be presumed to be running the Microsoft Windows operating system and all servers 28 can be assumed to be running the Microsoft Windows NT Server operating system, the invention is not specific to any one operating system. Although the prime use of the method is anticipated as being applied to networks using the TCP/IP protocols, it can be readily adapted to function with any other set of networking protocols, such as Novell IPX/SPX or IBM NetBEUI.
It is also assumed that the network for which access management is to be provided includes a number of users, groups of users and workstation addresses. All of these items are assumed to have been pre-configured using known configuration methods provided by the supplier of the network operating system. Although implementation of the invention may be based on data such as usernames and group names from a network operating system or similar repository, there is no dependency on a specific network operating system or a specific mechanism to access such data. Employing usernames and group names that are consistent with other system operations takes advantage of any familiarity that may already exist with this information. Furthermore, in the absence of any such information, the invention may utilize other naming nomenclature, such as IP or Ethernet addresses.
Referring now to FIG. 2, a first access control module 30 has been installed on the workstation 18 to enable the workstation to function as a passive access control station (PACS). A second instance of an access control module 32 is installed on the proxy server 28, so that this node functions as a proxy access control station (PRACS). Moreover, a third instance of an access control module 34 is installed on the firewall 16 in order to form a gateway access control station (GACS). A key point in the system and method is that the individual workstations 20 and 22 that are accessed by users can be managed without installing any software components specifically on those workstations. Network traffic is monitored and access to internal and external resources is controlled and managed either at choke points (represented by the proxy server 28 and the firewall 16) and/or non-intrusively at nodes which are not choke points (represented by the workstation 18). The access control modules 30, 32 and 34 can be installed, de-installed, and reinstalled on any of the nodes of the network at any time to suit potentially changing network topologies or changing access management policies.
The location and configuration of each of the access control modules 30, 32 and 34 are selected by an installer based upon pragmatic factors in order to achieve a level of access control that is consistent with the access management policy. As previously noted, the first access control module 30 is not required, since the workstation 24 may serve the dual purpose of allowing a system operator to configure the rules base of access rules and non-intrusively monitoring traffic along the network. The second access control module 32 is optionally used in order to ensure that access is managed for all users who are accessing the WWW by configuring web browsers to operate via the proxy server 28. The third access control module 34 is optionally installed at the firewall 16 in order to validate that both the firewall and the other access control modules have indeed been configured correctly and are performing their desired duties. Firewalls are sometimes difficult to configure, so organizations are increasingly adding second-line checks to their networks to ensure that absolute integrity is being maintained. However, the non-intrusive monitoring at the dedicated workstation 18 is capable of monitoring and controlling all access from all nodes on the network, regardless of TCP/IP protocol. This mechanism can be used to manage all network access that is not routed via the proxy server 28 with a high degree of probability that undesired access can indeed be blocked. Network traffic is non-intrusively monitored, but the system and method may be used to proactively block any requests for resources.
The non-intrusive monitoring of network traffic at the workstation 18 occurs by receiving and assembling data packets of node-to-node transmissions. Modern networks, including the Internet, are packet switching networks in which a transmission is separated into data packets which are separately transmitted to a destination node. At the destination node, the packets are assembled to form the original composite signal. FIG. 3 depicts an Ethernet data packet according to RFC base 894. Traffic along the network of FIGS. 1 and 2 may be in the form of transmissions of Ethernet packets. Each Ethernet packet 36 includes five segments. A first 6-byte segment 38 identifies the destination node address, while a second 6-byte segment 40 identifies the address of the source node. The third segment 42 is a 2-byte segment that identifies the protocol type. A data field 44 has a variable length, with a maximum of 1500 bytes. The data field 44 contains the user information. Finally, the fifth segment 46 is a checksum field that is used for error detection and correction purposes.
As is well known in the art, other standards for packetization are utilized. For example, each header that is used in a TCP transmission or a UDP (User Datagram Protocol) transmission includes a 16-bit destination port number. An Ethernet packet having a TCP/IP packet or UDP/IP packet embedded in its data field will include three designations: (1) the Ethernet addresses of the source and destination nodes; (2) the IP addresses of the source and destination nodes; and (3) the IP port number of the destination node. Other protocols are present and operational in TCP/IP networks and control operations such as routing and the translation of IP addresses to and from hostnames. A protocol referred to as ARP (Address Resolution Protocol) also maps IP addresses to Ethernet addresses.
By intercepting the Ethernet packet 36 of FIG. 3, the destination address, the source address and the user data are available to the monitoring node. For the non-intrusive monitoring that occurs at the workstation 18 of FIG. 2, the workstation may be placed in the promiscuous mode and there will be no impact on performance of the network. However, the packets that are specific to a particular node-to-node transmission can be collected and assembled merely by configuring the access control module 30 such that the workstation functions as a bare-bones TCP/IP protocol virtual machine. The workstation then has the capability of piecing together the fragments of a multi-packet signal. This enables access management control to base decisions upon information from various levels of the ISO model—from the lower layers to the uppermost Application Layer.
Communications protocols are a layered set, often referred to as a “stack.” The International Standards Organization (ISO) has developed a model referred to as the ISO 7-layer model, which serves as a basic reference. Each layer represents a particular function. The function of a particular layer may be executed in hardware or software or a combination of hardware and software. At times, a single program performs the functions of more than one layer. FIG. 4 illustrates the seven layers of the ISO model. The lowermost layer, referred to as the Physical Layer 50, is the hardware network connection, such as a physical wire. ISO Layer 2, the Data Link Layer 52, is responsible for providing reliable transmissions of data. Layer 2 may be a network interface card that links a computer to the network.
ISO Layer 3, the Network Layer 54, is the network software for routing packets throughout the network. ISO Layer 4, the Transport Layer 56, transports data from the network to the upper levels of the ISO model.
ISO Layer 5, the Session Layer 58, deals with establishing network sessions. Logical connections are established based upon a request of a user. ISO Layer 6, the Presentation Layer 60, deals with the presentation of data to an application which resides at ISO Layer 7, the Application Layer 62. Examples of the Application Layer include FTP, HTTP and SMTP. Layer 7 provides access to the Internet for a user.
FIG. 4 illustrates three inputs to a step 64 of storing data packets. The first input 66 represents the actual input of data packets, while the second and third inputs 68 and 70 are operational representations. Referring to FIGS. 2 and 4, the workstation 18 that non-intrusively monitors network traffic receives inbound and outbound data packets through Layers 1 and 2. As previously noted, the network interface card of Layer 2 is set to the promiscuous mode, so that the data packets of the network are received over the Physical Layer 50. Optionally, the rules base of the access management module 26 may be utilized more than one time. In a first application of the rules base, the first packet of a resource request may be used to detect the source and destination nodes, allowing access determinations to be based on this low-level information. However, higher level decisions can be formed only after a connection has been established and the actual content has begun to flow over that connection. This is in contrast to conventional operations of firewalls, which typically only act as low-level packet filters (i.e., at ISO Layer 2).
As indicated by the input 68, the invention includes assembling the data packets to detect information at the Transport Layer 56 and the Network Layer 54 of the ISO model. Moreover, Layer 7 information is acquired by assembling the data packets, as represented by the input 70. For example, in an e-mail environment, the Application Layer information that may be relevant to application of the rules base may include information within the “subject” line of an e-mail message. This information is acquired only upon accessing the data fields of the data packets of the e-mail message. At step 66, the necessary information has been acquired for applying the rules base. As previously noted, the application may occur more than once for a single multi-packet transmission. The desirability of providing single or multiple rules applications may depend upon a number of factors.
Referring now to FIG. 5, an embodiment of a graphical user interface (GUI) 68 is shown for use by a system operator to configure the rules base that determines the action of the access control modules 30, 32 and 34 of FIG. 2. The action of each access control module is determined by rules configured at the ACMC 24, which includes the access management module 26. The management module presents the GUI 68, although this is not critical to the invention.
In the preferred embodiment, the rules base is comprised of a twin set of ordered rules. One of the sets of rules relates to access management requirements for outgoing access, while the second set relates to inbound connection attempts. Within each set, the rules are in a sequence that dictates the sequence in which the rules are considered. This sequencing ensures that rules are applied in a specific deterministic order, allowing the system operator to layer more specific rules ahead of more general rules. Thus, seemingly inconsistent rules can be established. For example, a rule may be configured to give User A access to a certain resource ahead of a rule banning everyone in the organization from accessing that resource. This has the effect of allowing access by User A and blocking access to that resource by all other users.
After a rules base has been configured by a system operator, the rules base is downloaded to the access control modules 30, 32 and 34. Thus, any subsequent changes in the rules base may be implemented at the various nodes in an efficient dynamic manner.
Regarding the configuration of the rules, various objects may be utilized to provide a more granular or less granular rule. Affected parties may be designated by usernames and group names (both typically from the network operating system), ad hoc groupings of users, and workstation addresses. Other objects include network services, source addresses (IP address, hostname or URL), destination addresses (IP address, hostname or URL) and time-slot specifiers (time of day, day of week, etc.). These objects are graphically dragged and dropped onto each rule, as required in order to dynamically and graphically build up the rule within the overall rules base. Against each rule, an action is configured to specify the resulting action that should be performed if a rule is matched at runtime. Potential actions include (1) disallowing the connection attempt, (2) allowing the connection attempt to be completed, (3) passing off the decision-making on whether the connection should be allowed or disallowed to a third-party component (which may, for example, consult a control list or perform other checks), (4) allowing the connection, but performing further analysis on the data stream in order to determine whether a connection should be broken at some future point (e.g., based upon the number of bytes that are transferred), and (5) performing further collection of the data stream and passing off the collection to a third-party component for further analysis (e.g., an anti-virus product).
Rules can be amended, deleted or reordered using the graphical user interface 68 of FIG. 5. The rules base is stored in an internal format that is then made available to the various access control modules 30, 32 and 34, as described above.
The graphical user interface 68 is divided into two portions. The lower portion 70 is used to define network objects, such as usernames, groups, workstations and other such entities mentioned above. This information is built up by the system operator, but as much information as possible is gleaned from the network operating system. Typically, all usernames, group names and workstation addresses are established via reference to the network operating system. It is also possible to form ad hoc groupings for ease of use, such as groupings of users that are not configured or that are configured differently in the network operating system. Object-oriented technology simplifies the definition process by allowing operational parameters to be defined for object classes, rather than each individual network element. It is thus possible to perform access control at a detailed level of controlling individual user access and at a more general level of network groups of users or ad hoc groupings of users. This allows the operator to have flexibility in the access management task. It is thus possible to allow different access control criteria to different levels of employees and managers.
Other objects that are defined in the lower portion 70 of the GUI 68 are services, such as e-mail, file transfer, WWW and any of the other possible sets of services allowed in a TCP/IP network. Specific properties of a service include its name and its TCP/IP port number. Certain well-known services are pre-configured for the operator. For example, it is known that the telnet service should be pre-configured on port 23. Any services may, however, be added or modified by the operator.
The upper portion 72 of the GUI 68 contains the rules. The total set of rules is referred to as the rules base. Rules are constructed graphically by the operator by dragging objects from the lower portion 70 and dropping them into specific rules of the upper portion 70. Rule ordering is important and can be changed graphically by dragging a rule to a new position in the sequence. When rules are consulted at runtime, a top-down ordering is implemented. As previously noted, two sets of rules are maintained, one relating to outbound communications and the other relating to inbound communications.
In the preferred embodiment, storage logs are maintained for transaction data. The storage logs may be maintained for all of the transaction data or subsets of the data. The storage logs may then be used for further analysis by built-in or third-party components. However, this is not critical to the invention.
FIG. 6 is an exemplary arrangement of hardware and software for implementing the network access control system and method. A Passive Access Control Station, such as the workstation 18 of FIG. 2, includes an input port 74 that is placed in a mode to receive all data packets destined for any node on the network. The data packets that are specific to a particular node-to-node transmission are combined at a packet assembler 76. Detailed information from the assembled data packets is stored until sufficient information is acquired regarding the node-to-node transmission to apply the previously configured rules base 70. The process of applying the rules base to the acquired information may occur in a single step or may be a multi-step process. For example, in FIG. 6 there is a state identifier 80 and a context identifier 82. The state identifier is used to determine information regarding the lower layers of the ISO model, while the context identifier 82 acquires higher layer information, including Application Layer information. The rules base 78 may be consulted a first time when the state identifier 80 has acquired sufficient information, and then applied a second time when the context identifier 82 has acquired sufficient higher level information.
It is important to note that information which is stored includes both low level state information and contextual information that is discovered at points in the network stack other than Layers 1 and 2. Full Application Layer awareness is achieved without the need to implement specific application proxies for each service. The two parts of the proxy process are linked in order to accommodate the possibility that proxy connections are being made, since the real source node and the final destination node must be identified to ensure that the correct rule is applied in managing network access.
If it is determined that a particular node-to-node transmission is unrestricted, the transmission is unaffected by the process. Optionally, data regarding the transmission may be stored within a log 84. However, if the transmission is a restricted transmission, any one of a number of actions may be initiated by a connection controller 86. When the connection from a source node to a destination node has not been completed, the connection controller may generate a signal that is output via the output port 88 to an appropriate node (e.g., a router) for preventing the connection. For situations in which the connection is established, the controller 86 may generate a signal that disables the connection. As a third alternative, the connection may be allowed, but further analysis of the data stream may be performed in order to ascertain whether the connection should be disabled at some future time (e.g., based upon the number of bytes that are transferred during the connection). The decision of whether to allow or disallow the connection may be passed to another node, such as a third-party component which consults a control list or performs other checks.
FIG. 7 details the steps of providing access control in accordance with the invention. In step 90, network traffic is monitored non-intrusively, such as by the workstation 18 of FIG. 2. Packets that are specific to a particular communication (i.e., node-to-node transmission) are identified in step 92 and assembled in step 94. Decision step 96 determines whether sufficient information has been acquired to apply the rules of the rules base.
When sufficient information has been acquired to apply the rules base, the first rule is consulted to determine if the packet information set matches the rule. As previously noted, the rules base is organized into a first set of outbound-related rules and a second set of inbound-related rules. Moreover, the rules in a particular set are consulted in a top-down order. Thus, the rule that is applied in step 98 is the first rule in the appropriate set of rules. At step 100, a decision is made as to whether the information set fits the rule applied in step 98. If a rule fit is recognized, the appropriate rule action is applied at step 102. The appropriate rule action may be designated within the rules base. If the rule is affirmatively stated (e.g., “allow all HTTP connections”), the action will allow the connection to remain unhindered. Other prescribed actions may include logging information to a database, sending an e-mail message, raising an alert in a pre-established manner, or diverting the data content of the connection to a third-party process which can determine whether the connection should be maintained by referencing other data, such as anti-virus rules or one or more control lists.
If in the decision step 100 it is determined that the first rule is not applicable, decision step 104 determines whether there is another applicable rule. If there are fifteen rules within the set of rules that are applicable to the communication under consideration, steps 98, 100 and 104 will be repeated fifteen times or until the information set matches one of the rules.
Preferably, there is a default rule at the end of each set of rules in the rules base. Referring briefly to FIG. 5, the GUI 68 shows six rules in its set of outgoing rules in the upper portion 72 of the GUI. The sixth and final rule to be applied is the default rule that disallows outgoing communications that are not specifically allowed within the set. Alternatively, the default rule may be to allow the communication.
After all of the appropriate rules have been applied, the optional decision step 106 is executed. The access rules of the rules base are pre-parsed to identify which rules can be applied at the basic connection time and which rules need to be held-over for application once the connection is completed and data is flowing. If, for a particular node-to-node transmission, it is determined that no rules need to be held-over, the default rule can be applied at connection time, assuming that there is no prior rule that provides an affirmative response at step 100. However, if access rules need to be applied once data is flowing, the default rule is applied with the held-over rules. Thus, when there are access rules that relate to data flow, the connection is allowed to be completed, unless it is determined at step 100 that the connection is a restricted one. If it is determined at step 106 that rules have been held-over, the packets continue to be assembled at step 94 and the process repeats itself in order to apply the held-over rules. On the other hand, if there are no held-over rules, the process returns to the step 92 of identifying packets of a specific communication. However, the implementation, and even existence, of step 106 is not critical to the invention.
It is worth noting that various changes and modifications can be made to the above examples to achieve the same results, while remaining within the scope of the method and system. For example, access management control can be performed on a generic gateway machine, as opposed to a firewall, a proxy server or a passive workstation.
|Cited Patent||Filing date||Publication date||Applicant||Title|
|US5720033||25 Jul 1995||17 Feb 1998||Lucent Technologies Inc.||Security platform and method using object oriented rules for computer-based systems using UNIX-line operating systems|
|US5727146||4 Jun 1996||10 Mar 1998||Hewlett-Packard Company||Source address security for both training and non-training packets|
|US5742759||18 Aug 1995||21 Apr 1998||Sun Microsystems, Inc.||Method and system for facilitating access control to system resources in a distributed computer system|
|US5826014 *||6 Feb 1996||20 Oct 1998||Network Engineering Software||Firewall system for protecting network elements connected to a public network|
|US5835722||27 Jun 1996||10 Nov 1998||Logon Data Corporation||System to control content and prohibit certain interactive attempts by a person using a personal computer|
|US5884033||15 May 1996||16 Mar 1999||Spyglass, Inc.||Internet filtering system for filtering data transferred over the internet utilizing immediate and deferred filtering actions|
|US5889958 *||20 Dec 1996||30 Mar 1999||Livingston Enterprises, Inc.||Network access control system and process|
|US6061798 *||19 Oct 1998||9 May 2000||Network Engineering Software, Inc.||Firewall system for protecting network elements connected to a public network|
|Citing Patent||Filing date||Publication date||Applicant||Title|
|US6424992 *||8 Oct 1997||23 Jul 2002||International Business Machines Corporation||Affinity-based router and routing method|
|US6460074 *||10 Feb 2000||1 Oct 2002||Martin E. Fishkin||Electronic mail system|
|US6519703 *||14 Apr 2000||11 Feb 2003||James B. Joyce||Methods and apparatus for heuristic firewall|
|US6578081 *||12 Aug 1999||10 Jun 2003||Fujitsu Limited||Security system for electronic information sharing|
|US6606710||24 Jun 2002||12 Aug 2003||Lucent Technologies Inc.||Adaptive re-ordering of data packet filter rules|
|US6658587 *||10 Jan 2000||2 Dec 2003||Sun Microsystems, Inc.||Emulation of persistent group reservations|
|US6742039 *||20 Dec 1999||25 May 2004||Intel Corporation||System and method for connecting to a device on a protected network|
|US6754896||4 Oct 2002||22 Jun 2004||Microsoft Corporation||Method and system for on-demand installation of software implementations|
|US6757836||10 Jan 2000||29 Jun 2004||Sun Microsystems, Inc.||Method and apparatus for resolving partial connectivity in a clustered computing system|
|US6769008||10 Jan 2000||27 Jul 2004||Sun Microsystems, Inc.||Method and apparatus for dynamically altering configurations of clustered computer systems|
|US6789213||10 Jan 2000||7 Sep 2004||Sun Microsystems, Inc.||Controlled take over of services by remaining nodes of clustered computing system|
|US6816455 *||9 May 2001||9 Nov 2004||Telecom Italia S.P.A.||Dynamic packet filter utilizing session tracking|
|US6836794 *||21 Sep 1998||28 Dec 2004||Microsoft Corporation||Method and system for assigning and publishing applications|
|US6862613||10 Jan 2000||1 Mar 2005||Sun Microsystems, Inc.||Method and apparatus for managing operations of clustered computer systems|
|US6873988 *||9 Jul 2002||29 Mar 2005||Check Point Software Technologies, Inc.||System and methods providing anti-virus cooperative enforcement|
|US6880005 *||31 Mar 2000||12 Apr 2005||Intel Corporation||Managing policy rules in a network|
|US6930978||6 Jun 2001||16 Aug 2005||Deep Nines, Inc.||System and method for traffic management control in a data transmission network|
|US6931441 *||29 Jun 2001||16 Aug 2005||Cisco Technology, Inc.||Method and apparatus for managing a network using link state information|
|US6981256 *||10 Sep 2001||27 Dec 2005||Aspect Software, Inc.||Methods and apparatus for enabling dynamic resource collaboration|
|US6990527 *||1 Mar 2001||24 Jan 2006||Spicer Corporation||Network resource access system|
|US7007093 *||1 Mar 2001||28 Feb 2006||Spicer Corporation||Network resource control system|
|US7054944 *||19 Dec 2001||30 May 2006||Intel Corporation||Access control management system utilizing network and application layer access control lists|
|US7058976||17 May 2000||6 Jun 2006||Deep Nines, Inc.||Intelligent feedback loop process control system|
|US7076801 *||11 Jun 2001||11 Jul 2006||Research Triangle Institute||Intrusion tolerant server system|
|US7096495 *||31 Mar 2000||22 Aug 2006||Intel Corporation||Network session management|
|US7099940 *||7 Aug 2001||29 Aug 2006||Amdocs (Israel) Ltd.||System, method and computer program product for processing network accounting information|
|US7136913 *||9 Jul 2001||14 Nov 2006||Lab 7 Networks, Inc.||Object oriented communication among platform independent systems across a firewall over the internet using HTTP-SOAP|
|US7152103 *||10 Jan 2001||19 Dec 2006||Nortel Networks Limited||Lawful communication interception—intercepting communication associated information|
|US7203741 *||19 Mar 2001||10 Apr 2007||Peerapp Ltd.||Method and system for accelerating receipt of data in a client-to-client network|
|US7209962 *||30 Jul 2001||24 Apr 2007||International Business Machines Corporation||System and method for IP packet filtering based on non-IP packet traffic attributes|
|US7228337||11 Sep 2001||5 Jun 2007||Cisco Technology, Inc.||Methods and apparatus for providing a network service to a virtual machine|
|US7249188 *||16 Dec 2005||24 Jul 2007||Spicer Corporation||Network resource control system|
|US7266602 *||24 May 2006||4 Sep 2007||Amdocs (Israel) Ltd.||System, method and computer program product for processing accounting information|
|US7278162||1 Apr 2003||2 Oct 2007||International Business Machines Corporation||Use of a programmable network processor to observe a flow of packets|
|US7305708 *||8 Mar 2004||4 Dec 2007||Sourcefire, Inc.||Methods and systems for intrusion detection|
|US7325053 *||28 Aug 2006||29 Jan 2008||Lab 7 Networks, Inc.||Object oriented communication among platform-independent systems over networks using SOAP|
|US7376965 *||14 May 2001||20 May 2008||Hewlett-Packard Development Company, L.P.||System and method for implementing a bubble policy to achieve host and network security|
|US7380272||20 Feb 2002||27 May 2008||Deep Nines Incorporated||System and method for detecting and eliminating IP spoofing in a data transmission network|
|US7383579 *||21 Aug 2002||3 Jun 2008||At&T Delaware Intellectual Property, Inc.||Systems and methods for determining anti-virus protection status|
|US7386889 *||18 Nov 2002||10 Jun 2008||Trusted Network Technologies, Inc.||System and method for intrusion prevention in a communications network|
|US7441262 *||11 Jul 2002||21 Oct 2008||Seaway Networks Inc.||Integrated VPN/firewall system|
|US7496962||29 Sep 2004||24 Feb 2009||Sourcefire, Inc.||Intrusion detection strategies for hypertext transport protocol|
|US7509673 *||6 Jun 2003||24 Mar 2009||Microsoft Corporation||Multi-layered firewall architecture|
|US7539681||26 Jul 2004||26 May 2009||Sourcefire, Inc.||Methods and systems for multi-pattern searching|
|US7549159||5 May 2005||16 Jun 2009||Liquidware Labs, Inc.||System, apparatuses, methods and computer-readable media for determining the security status of a computer before establishing connection thereto|
|US7552323||19 Aug 2003||23 Jun 2009||Liquidware Labs, Inc.||System, apparatuses, methods, and computer-readable media using identification data in packet communications|
|US7562304||26 Jan 2006||14 Jul 2009||Mcafee, Inc.||Indicating website reputations during website manipulation of user information|
|US7565687 *||31 May 2002||21 Jul 2009||International Business Machines Corporation||Transmission control system, server, terminal station, transmission control method, program and storage medium|
|US7590716||28 Sep 2004||15 Sep 2009||Websense Uk Limited||System, method and apparatus for use in monitoring or controlling internet access|
|US7591001||5 May 2005||15 Sep 2009||Liquidware Labs, Inc.||System, apparatuses, methods and computer-readable media for determining the security status of a computer before establishing a network connection|
|US7602785||9 Feb 2005||13 Oct 2009||Washington University||Method and system for performing longest prefix matching for network address lookup using bloom filters|
|US7631061||13 Dec 2004||8 Dec 2009||Microsoft Corporation||Method and system for assigning and publishing applications|
|US7631349 *||11 Jan 2001||8 Dec 2009||Digi International Inc.||Method and apparatus for firewall traversal|
|US7647403 *||29 Nov 2000||12 Jan 2010||British Telecommunications Public Limited Company||Method for processing a request for access to a data network|
|US7650420||18 Jun 2008||19 Jan 2010||The Directv Group, Inc.||System and method for content filtering|
|US7660980||23 Mar 2007||9 Feb 2010||Liquidware Labs, Inc.||Establishing secure TCP/IP communications using embedded IDs|
|US7701945||10 Aug 2006||20 Apr 2010||Sourcefire, Inc.||Device, system and method for analysis of segments in a transmission control protocol (TCP) session|
|US7707636 *||3 Jun 2008||27 Apr 2010||At&T Intellectual Property I, L.P.||Systems and methods for determining anti-virus protection status|
|US7711790 *||20 Sep 2000||4 May 2010||Foundry Networks, Inc.||Securing an accessible computer system|
|US7716330||19 Oct 2001||11 May 2010||Global Velocity, Inc.||System and method for controlling transmission of data packets over an information network|
|US7716742||12 May 2004||11 May 2010||Sourcefire, Inc.||Systems and methods for determining characteristics of a network and analyzing vulnerabilities|
|US7724678 *||14 Jun 2006||25 May 2010||Oracle America, Inc.||Method and apparatus for testing a communication link|
|US7725558 *||26 Jul 2001||25 May 2010||David Dickenson||Distributive access controller|
|US7725587 *||29 Jun 2001||25 May 2010||Aol Llc||Deep packet scan hacker identification|
|US7730137||22 Dec 2003||1 Jun 2010||Aol Inc.||Restricting the volume of outbound electronic messages originated by a single entity|
|US7730175||12 May 2004||1 Jun 2010||Sourcefire, Inc.||Systems and methods for identifying the services of a network|
|US7733803||14 Nov 2005||8 Jun 2010||Sourcefire, Inc.||Systems and methods for modifying network map attributes|
|US7734756 *||25 Oct 2007||8 Jun 2010||Ganas, Llc||Object oriented communication among platform independent systems over networks using soap|
|US7743144 *||3 Nov 2003||22 Jun 2010||Foundry Networks, Inc.||Securing an access provider|
|US7752659||14 Feb 2005||6 Jul 2010||Lenovo (Singapore) Pte. Ltd.||Packet filtering in a NIC to control antidote loading|
|US7756885||19 Apr 2007||13 Jul 2010||Sourcefire, Inc.||Methods and systems for multi-pattern searching|
|US7765481||26 Jan 2006||27 Jul 2010||Mcafee, Inc.||Indicating website reputations during an electronic commerce transaction|
|US7765593 *||24 Jun 2004||27 Jul 2010||Mcafee, Inc.||Rule set-based system and method for advanced virus protection|
|US7769851||27 Jan 2005||3 Aug 2010||Juniper Networks, Inc.||Application-layer monitoring and profiling network traffic|
|US7788329||12 Jan 2006||31 Aug 2010||Aol Inc.||Throttling electronic communications from one or more senders|
|US7797411||2 Feb 2005||14 Sep 2010||Juniper Networks, Inc.||Detection and prevention of encapsulated network attacks using an intermediate device|
|US7801980||12 May 2004||21 Sep 2010||Sourcefire, Inc.||Systems and methods for determining characteristics of a network|
|US7809758||13 May 2005||5 Oct 2010||Websense Uk Limited||Database and method of generating same|
|US7809826||27 Jan 2005||5 Oct 2010||Juniper Networks, Inc.||Remote aggregation of network traffic profiling data|
|US7810151 *||27 Jan 2005||5 Oct 2010||Juniper Networks, Inc.||Automated change detection within a network environment|
|US7818794||9 Jun 2003||19 Oct 2010||Thomson Licensing||Data traffic filtering indicator|
|US7822620||26 Jan 2006||26 Oct 2010||Mcafee, Inc.||Determining website reputations using automatic testing|
|US7823194||13 Aug 2003||26 Oct 2010||Liquidware Labs, Inc.||System and methods for identification and tracking of user and/or source initiating communication in a computer network|
|US7827293 *||1 Mar 2001||2 Nov 2010||Printeron Inc.||Secure network resource access system|
|US7827601||15 Nov 2008||2 Nov 2010||Digi International Inc.||Method and apparatus for firewall traversal|
|US7831728 *||1 Nov 2006||9 Nov 2010||Citrix Systems, Inc.||Methods and systems for real-time seeking during real-time playback of a presentation layer protocol data stream|
|US7865945||23 May 2008||4 Jan 2011||Sharp Clifford F||System and method for detecting and eliminating IP spoofing in a data transmission network|
|US7885190||12 May 2004||8 Feb 2011||Sourcefire, Inc.||Systems and methods for determining characteristics of a network based on flow analysis|
|US7890642||16 Sep 2004||15 Feb 2011||Websense Uk Limited||Device internet resource access filtering system and method|
|US7900240 *||28 May 2004||1 Mar 2011||Citrix Systems, Inc.||Multilayer access control security system|
|US7937755 *||27 Jan 2005||3 May 2011||Juniper Networks, Inc.||Identification of network policy violations|
|US7948988||27 Jul 2006||24 May 2011||Sourcefire, Inc.||Device, system and method for analysis of fragments in a fragment train|
|US7949732||12 May 2004||24 May 2011||Sourcefire, Inc.||Systems and methods for determining characteristics of a network and enforcing policy|
|US7953791 *||10 Apr 2008||31 May 2011||The Nielsen Company (Us), Llc.||Network resource monitoring and measurement system and method|
|US7970886 *||2 Nov 2000||28 Jun 2011||Arbor Networks, Inc.||Detecting and preventing undesirable network traffic from being sourced out of a network domain|
|US7991899 *||11 Sep 2007||2 Aug 2011||Morgan Stanley||Systems and methods for establishing rules for communication with a host|
|US7996424||31 Jan 2008||9 Aug 2011||Sourcefire, Inc.||Methods and systems for multi-pattern searching|
|US8001244||12 Apr 2010||16 Aug 2011||Aol Inc.||Deep packet scan hacker identification|
|US8024471 *||28 Sep 2004||20 Sep 2011||Websense Uk Limited||System, method and apparatus for use in monitoring or controlling internet access|
|US8046833||14 Nov 2005||25 Oct 2011||Sourcefire, Inc.||Intrusion event correlation with network discovery information|
|US8069352||28 Feb 2007||29 Nov 2011||Sourcefire, Inc.||Device, system and method for timestamp analysis of segments in a transmission control protocol (TCP) session|
|US8077708||1 Nov 2006||13 Dec 2011||Techguard Security, Llc||Systems and methods for determining a flow of data|
|US8082353||20 Dec 2011||At&T Mobility Ii Llc||Reciprocal addition of attribute fields in access control lists and profiles for femto cell coverage management|
|US8094551||21 Nov 2008||10 Jan 2012||At&T Mobility Ii Llc||Exchange of access control lists to manage femto cell coverage|
|US8108531||7 May 2010||31 Jan 2012||Foundry Networks, Inc.||Securing an access provider|
|US8126496||20 Nov 2008||28 Feb 2012||At&T Mobility Ii Llc||Signaling-triggered power adjustment in a femto cell|
|US8127353||29 Apr 2008||28 Feb 2012||Sourcefire, Inc.||Real-time user awareness for a computer network|
|US8141147||28 Sep 2004||20 Mar 2012||Websense Uk Limited||System, method and apparatus for use in monitoring or controlling internet access|
|US8145777||14 Jan 2005||27 Mar 2012||Citrix Systems, Inc.||Method and system for real-time seeking during playback of remote presentation protocols|
|US8176553||13 Nov 2002||8 May 2012||Mcafee, Inc.||Secure gateway with firewall and intrusion detection capabilities|
|US8179847||15 May 2012||At&T Mobility Ii Llc||Interactive white list prompting to share content and services associated with a femtocell|
|US8185612||30 Dec 2011||22 May 2012||Peerapp Ltd.||Methods and systems for caching data communications over computer networks|
|US8191008||3 Oct 2005||29 May 2012||Citrix Systems, Inc.||Simulating multi-monitor functionality in a single monitor environment|
|US8200828||30 Oct 2009||12 Jun 2012||Citrix Systems, Inc.||Systems and methods for single stack shadowing|
|US8208431||15 Jun 2010||26 Jun 2012||At&T Intellectual Property I, Lp||Intelligent pico-cell for transport of wireless device communications over wireline networks|
|US8208638 *||2 Nov 2004||26 Jun 2012||Jobbagy Miklos||Set of equipment for secure direct information transfer over the internet|
|US8209417 *||8 Mar 2007||26 Jun 2012||Oracle International Corporation||Dynamic resource profiles for clusterware-managed resources|
|US8209745||21 Nov 2008||26 Jun 2012||At&T Mobility Ii Llc||Automatic population of an access control list to manage femto cell coverage|
|US8209756||27 Jan 2005||26 Jun 2012||Juniper Networks, Inc.||Compound attack detection in a computer network|
|US8219094||13 May 2009||10 Jul 2012||At&T Mobility Ii Llc||Location-based services in a femtocell network|
|US8250149||11 Oct 2011||21 Aug 2012||Peerapp Ltd.||Method and system for accelerating receipt of data in a client to client network|
|US8254368||28 Aug 2012||At&T Mobility Ii Llc||Femtocell architecture for information management|
|US8266267||26 Aug 2010||11 Sep 2012||Juniper Networks, Inc.||Detection and prevention of encapsulated network attacks using an intermediate device|
|US8272055||8 Oct 2009||18 Sep 2012||Sourcefire, Inc.||Target-based SMB and DCE/RPC processing for an intrusion detection system or intrusion prevention system|
|US8274958||25 Sep 2012||At&T Mobility Ii Llc||Intra-premises content and equipment management in a femtocell network|
|US8289882||15 Jan 2010||16 Oct 2012||Sourcefire, Inc.||Systems and methods for modifying network map attributes|
|US8296441||30 Oct 2009||23 Oct 2012||Citrix Systems, Inc.||Methods and systems for joining a real-time session of presentation layer protocol data|
|US8296664||10 Aug 2007||23 Oct 2012||Mcafee, Inc.||System, method, and computer program product for presenting an indicia of risk associated with search results within a graphical user interface|
|US8312146||15 Nov 2005||13 Nov 2012||Aspect Software, Inc.||Methods and apparatus for enabling dynamic resource collaboration|
|US8316017||26 Jun 2006||20 Nov 2012||Atmel Corporation||Apparatus and method for the detection of and recovery from inappropriate bus access in microcontroller circuits|
|US8321791||13 Jul 2009||27 Nov 2012||Mcafee, Inc.||Indicating website reputations during website manipulation of user information|
|US8326296||12 Jul 2006||4 Dec 2012||At&T Intellectual Property I, L.P.||Pico-cell extension for cellular network|
|US8331228||11 Dec 2012||At&T Mobility Ii Llc||Exchange of access control lists to manage femto cell coverage|
|US8340130||14 Jan 2005||25 Dec 2012||Citrix Systems, Inc.||Methods and systems for generating playback instructions for rendering of a recorded computer session|
|US8392994||28 Mar 2011||5 Mar 2013||Mcafee, Inc.||System, method and computer program product for context-driven behavioral heuristics|
|US8422851||11 Jan 2010||16 Apr 2013||Citrix Systems, Inc.||System and methods for automatic time-warped playback in rendering a recorded computer session|
|US8429545||10 Aug 2007||23 Apr 2013||Mcafee, Inc.||System, method, and computer program product for presenting an indicia of risk reflecting an analysis associated with search results within a graphical user interface|
|US8433790||11 Jun 2010||30 Apr 2013||Sourcefire, Inc.||System and method for assigning network blocks to sensors|
|US8438499||26 Jan 2006||7 May 2013||Mcafee, Inc.||Indicating website reputations during user interactions|
|US8463296||11 Jun 2013||At&T Mobility Ii Llc||Location-based services in a femtocell network|
|US8474043||28 Aug 2008||25 Jun 2013||Sourcefire, Inc.||Speed and memory optimization of intrusion detection system (IDS) and intrusion prevention system (IPS) rule processing|
|US8478852||20 Aug 2008||2 Jul 2013||At&T Mobility Ii Llc||Policy realization framework of a communications network|
|US8490156||21 Nov 2008||16 Jul 2013||At&T Mobility Ii Llc||Interface for access management of FEMTO cell coverage|
|US8504032||12 Jun 2009||6 Aug 2013||At&T Intellectual Property I, L.P.||Femtocell service registration, activation, and provisioning|
|US8504809||27 May 2010||6 Aug 2013||At&T Mobility Ii Llc||Automated communication configuration|
|US8507953||30 Nov 2010||13 Aug 2013||Globalfoundries Inc.||Body controlled double channel transistor and circuits comprising the same|
|US8510476 *||12 Feb 2002||13 Aug 2013||Brooks Automation, Inc.||Secure remote diagnostic customer support network|
|US8510801||15 Oct 2009||13 Aug 2013||At&T Intellectual Property I, L.P.||Management of access to service in an access point|
|US8516377||15 Sep 2012||20 Aug 2013||Mcafee, Inc.||Indicating Website reputations during Website manipulation of user information|
|US8522312||21 Nov 2008||27 Aug 2013||At&T Mobility Ii Llc||Access control lists and profiles to manage femto cell coverage|
|US8528047||31 Aug 2010||3 Sep 2013||Citrix Systems, Inc.||Multilayer access control security system|
|US8555368 *||9 Dec 2009||8 Oct 2013||Intel Corporation||Firewall filtering using network controller circuitry|
|US8566726||26 Jan 2006||22 Oct 2013||Mcafee, Inc.||Indicating website reputations based on website handling of personal information|
|US8578002||16 Dec 2010||5 Nov 2013||Sourcefire, Inc.||Systems and methods for determining characteristics of a network and enforcing policy|
|US8578444||14 Jun 2012||5 Nov 2013||Info Express, Inc.||Systems and methods of controlling network access|
|US8601034||11 Mar 2011||3 Dec 2013||Sourcefire, Inc.||System and method for real time data awareness|
|US8615159||20 Sep 2011||24 Dec 2013||Citrix Systems, Inc.||Methods and systems for cataloging text in a recorded session|
|US8626223||17 Jul 2008||7 Jan 2014||At&T Mobility Ii Llc||Femto cell signaling gating|
|US8645537||29 Jul 2011||4 Feb 2014||Citrix Systems, Inc.||Deep packet scan hacker identification|
|US8650610||14 Jun 2012||11 Feb 2014||Infoexpress, Inc.||Systems and methods of controlling network access|
|US8655361||26 Jun 2013||18 Feb 2014||At&T Mobility Ii Llc||Femtocell service registration, activation, and provisioning|
|US8671182||22 Jun 2010||11 Mar 2014||Sourcefire, Inc.||System and method for resolving operating system or service identity conflicts|
|US8677450||14 Jun 2012||18 Mar 2014||Infoexpress, Inc.||Systems and methods of controlling network access|
|US8677486||14 Apr 2011||18 Mar 2014||Sourcefire, Inc.||System and method for near-real time network attack detection, and system and method for unified detection via detection routing|
|US8701196||31 Mar 2006||15 Apr 2014||Mcafee, Inc.||System, method and computer program product for obtaining a reputation associated with a file|
|US8719420||13 May 2009||6 May 2014||At&T Mobility Ii Llc||Administration of access lists for femtocell service|
|US8738707 *||28 Jan 2005||27 May 2014||The Invention Science Fund I, Llc||Limited-life electronic mail accounts|
|US8743776||12 Jun 2009||3 Jun 2014||At&T Mobility Ii Llc||Point of sales and customer support for femtocell service and equipment|
|US8755820||13 May 2013||17 Jun 2014||At&T Mobility Ii Llc||Location-based services in a femtocell network|
|US8763082||21 Nov 2008||24 Jun 2014||At&T Mobility Ii Llc||Interactive client management of an access control list|
|US8787342||20 Jul 2012||22 Jul 2014||At&T Mobility Ii Llc||Intra-premises content and equipment management in a femtocell network|
|US8812049||26 Nov 2013||19 Aug 2014||At&T Mobility Ii Llc||Femto cell signaling gating|
|US8812736||3 Feb 2011||19 Aug 2014||Printeron Inc.||Limited-bandwidth electronic data communication system field of the invention|
|US8826154||27 Mar 2012||2 Sep 2014||Mcafee, Inc.||System, method, and computer program product for presenting an indicia of risk associated with search results within a graphical user interface|
|US8826155||6 Aug 2012||2 Sep 2014||Mcafee, Inc.||System, method, and computer program product for presenting an indicia of risk reflecting an analysis associated with search results within a graphical user interface|
|US8826275 *||1 Sep 2011||2 Sep 2014||Ca, Inc.||System and method for self-aware virtual machine image deployment enforcement|
|US8826411 *||15 Mar 2006||2 Sep 2014||Blue Coat Systems, Inc.||Client-side extensions for use in connection with HTTP proxy policy enforcement|
|US8831991||21 Jan 2005||9 Sep 2014||The Invention Science Fund I, Llc||Limited-life electronic mail account as intermediary|
|US8843617||17 Sep 2010||23 Sep 2014||Printeron Inc.||Multi-stage polling mechanism and system for the transmission and processing control of network resource data|
|US8846296||2 May 2012||30 Sep 2014||International Business Machines Corporation||Photoresist compositions|
|US8850046||30 Jan 2012||30 Sep 2014||Foundry Networks Llc||Securing an access provider|
|US8850048||21 May 2013||30 Sep 2014||At&T Mobility Ii Llc||Reciprocal addition of attribute fields in access control lists and profiles for femto cell coverage management|
|US8856878||3 Jul 2013||7 Oct 2014||At&T Intellectual Property I, L.P||Management of access to service in an access point|
|US8856926||20 May 2009||7 Oct 2014||Juniper Networks, Inc.||Dynamic policy provisioning within network security devices|
|US8863235 *||21 Nov 2008||14 Oct 2014||At&T Mobility Ii Llc||Time-dependent white list generation|
|US8897752||7 Nov 2012||25 Nov 2014||At&T Intellectual Property I, L.P.||Pico-cell extension for cellular network|
|US8908700||7 Sep 2007||9 Dec 2014||Citrix Systems, Inc.||Systems and methods for bridging a WAN accelerator with a security gateway|
|US8935316||30 Oct 2009||13 Jan 2015||Citrix Systems, Inc.||Methods and systems for in-session playback on a local machine of remotely-stored and real time presentation layer protocol data|
|US8942180||15 Apr 2014||27 Jan 2015||At&T Mobility Ii Llc||Point of sales and customer support for femtocell service and equipment|
|US8970873||17 Sep 2010||3 Mar 2015||Printeron Inc.||System and method for managing printer resources on an internal network|
|US8984644||28 Sep 2014||17 Mar 2015||Securityprofiling, Llc||Anti-vulnerability system, method, and computer program product|
|US8990354||21 May 2012||24 Mar 2015||Peerapp Ltd.||Methods and systems for caching data communications over computer networks|
|US9019819||13 Nov 2012||28 Apr 2015||At&T Mobility Ii Llc||Exchange of access control lists to manage femto cell coverage|
|US9055094||31 May 2012||9 Jun 2015||Cisco Technology, Inc.||Target-based SMB and DCE/RPC processing for an intrusion detection system or intrusion prevention system|
|US9058138||15 Aug 2013||16 Jun 2015||Printeron Inc.||System and method for releasing print jobs based on location information|
|US9094309||13 Mar 2012||28 Jul 2015||International Business Machines Corporation||Detecting transparent network communication interception appliances|
|US9094891||16 Apr 2014||28 Jul 2015||At&T Mobility Ii Llc||Location-based services in a femtocell network|
|US9100324||18 Oct 2011||4 Aug 2015||Secure Crossing Research & Development, Inc.||Network protocol analyzer apparatus and method|
|US9100431||28 Sep 2014||4 Aug 2015||Securityprofiling, Llc||Computer program product and apparatus for multi-path remediation|
|US20020065874 *||29 Nov 2000||30 May 2002||Andrew Chien||Method and process for virtualizing network interfaces|
|US20020073206 *||10 Sep 2001||13 Jun 2002||Janardhanan Jawahar||Methods and apparatus for enabling dynamic resource collaboration|
|US20020131366 *||6 Jun 2001||19 Sep 2002||Sharp Clifford F.||System and method for traffic management control in a data transmission network|
|US20020133586 *||27 Apr 2001||19 Sep 2002||Carter Shanklin||Method and device for monitoring data traffic and preventing unauthorized access to a network|
|US20020133606 *||5 Mar 2002||19 Sep 2002||Fujitsu Limited||Filtering apparatus, filtering method and computer product|
|US20020133621 *||19 Mar 2001||19 Sep 2002||Expand Networks Ltd||Method and system for accelerating receipt of data in a client to client network|
|US20020143773 *||1 Mar 2001||3 Oct 2002||Steven Spicer||Secure network resource access system|
|US20020144016 *||1 Mar 2001||3 Oct 2002||Steven Spicer||Network resource communication system|
|US20040098619 *||13 Aug 2003||20 May 2004||Trusted Network Technologies, Inc.||System, apparatuses, methods, and computer-readable media for identification of user and/or source of communication in a network|
|US20040131056 *||19 Dec 2003||8 Jul 2004||Deep Nines, Inc.||Intelligent feedback loop process control system|
|US20040162992 *||19 Feb 2003||19 Aug 2004||Sami Vikash Krishna||Internet privacy protection device|
|US20040199790 *||1 Apr 2003||7 Oct 2004||International Business Machines Corporation||Use of a programmable network processor to observe a flow of packets|
|US20040205360 *||8 Mar 2004||14 Oct 2004||Norton Marc A.||Methods and systems for intrusion detection|
|US20040243835 *||28 May 2004||2 Dec 2004||Andreas Terzis||Multilayer access control security system|
|US20050005129 *||1 Jul 2004||6 Jan 2005||Oliphant Brett M.||Policy-protection proxy|
|US20050022010 *||6 Jun 2003||27 Jan 2005||Microsoft Corporation||Multi-layered firewall architecture|
|US20050108688 *||13 Dec 2004||19 May 2005||Microsoft Corporation||Method and system for assigning and publishing applications|
|US20050144297 *||30 Dec 2003||30 Jun 2005||Kidsnet, Inc.||Method and apparatus for providing content access controls to access the internet|
|US20050160289 *||18 Nov 2002||21 Jul 2005||Shay A. D.||System and method for intrusion prevention in a communications network|
|US20050169282 *||9 Jun 2003||4 Aug 2005||Wittman Brian A.||Data traffic filtering indicator|
|US20060209836 *||6 Jun 2006||21 Sep 2006||Juniper Networks, Inc.||Internet security system|
|US20060253784 *||11 Apr 2006||9 Nov 2006||Bower James M||Multi-tiered safety control system and methods for online communities|
|US20070220599 *||15 Mar 2006||20 Sep 2007||Doug Moen||Client-side extensions for use in connection with HTTP proxy policy enforcement|
|US20080222642 *||8 Mar 2007||11 Sep 2008||Oracle International Corporation||Dynamic resource profiles for clusterware-managed resources|
|US20110138455 *||9 Dec 2009||9 Jun 2011||Waskiewicz Peter P||Firewall filtering using network controller circuitry|
|US20120260304 *||13 Feb 2012||11 Oct 2012||Webroot Inc.||Methods and apparatus for agent-based malware management|
|US20130061219 *||1 Sep 2011||7 Mar 2013||Computer Associates Think, Inc.||System and Method for Self-Aware Virtual Machine Image Deployment Enforcement|
|WO2001080480A1 *||23 Mar 2001||25 Oct 2001||James B Joyce||Methods ad apparatus for heuristic firewall|
|WO2002019109A1 *||30 Jul 2001||7 Mar 2002||Netrake Corp||Method for inoculating infected email|
|WO2002061589A1 *||31 Jan 2002||8 Aug 2002||Telcordia Tech Inc||System and method for using sesssion initiation protocol (sip) to communicate with networked appliances|
|WO2013138168A1 *||8 Mar 2013||19 Sep 2013||International Business Machines Corporation||Detecting transparent network communication interception appliances|
|WO2015023253A1 *||12 Aug 2013||19 Feb 2015||Intel Corporation||Managing communications in multiple radio access networks|
|U.S. Classification||713/152, 713/153, 726/11, 709/229|
|International Classification||H04L29/06, H04L12/26|
|Cooperative Classification||H04L63/101, H04L63/0227, H04L63/10, H04L12/2602, H04L43/00|
|European Classification||H04L43/00, H04L63/10, H04L63/10A, H04L63/02B, H04L12/26M|
|9 Sep 1998||AS||Assignment|
Owner name: JSB SOFTWARE TECHNOLOGIES PLC, UNITED KINGDOM
Free format text: ASSIGNMENT OF ASSIGNORS INTEREST;ASSIGNORS:CUNNINGHAM, MARK;TREVARROW, ANDREW;REEL/FRAME:009450/0456
Effective date: 19980907
|13 Feb 2001||AS||Assignment|
|10 Sep 2002||RR||Request for reexamination filed|
Effective date: 20020724
|8 Oct 2004||FPAY||Fee payment|
Year of fee payment: 4
|16 Sep 2008||B1||Reexamination certificate first reexamination|
Free format text: CLAIMS 1, 2, 9, 11, 13 AND 15 ARE DETERMINED TO BE PATENTABLE AS AMENDED. CLAIMS 3-8, 10, 12, 14 AND 16-18, DEPENDENT ON AN AMENDED CLAIM, ARE DETERMINED TO BE PATENTABLE.
|6 Oct 2008||FPAY||Fee payment|
Year of fee payment: 8
|17 Oct 2012||FPAY||Fee payment|
Year of fee payment: 12